Event Rule Threshold - False positives from 'Simulate event processing'

Kelly Logan
Kilo Sage

I have created two rules for CPU utilization, one that creates a Warning severity alert for > 80%, and one that creates a Critical severity alert for > 95%.

I put the 95% at order 150 so it would check for that first, then the 80% at order 200.

When I try to use 'Simulate event processing' on a past CPU event, it matches against the 95%, even when the amount is less than 95. Any ideas why? 

I even tried matching the value using (\d+) instead of (.*) to see if it would cast it to a numeric value. No change.

Any thoughts on how I can get this to work? We are on Yokohama. 

1 ACCEPTED SOLUTION

Kelly Logan
Kilo Sage

Two things: 

  1. I had not set the first rule to 'Apply additional matching rules'. Once I did, the 80-95% rule matched as well.
  2. The 'Simulate event processing' will still say matching on the first rule because apparently threshold is only evaluated *after* the matching and transformation steps, so now the simulated alert lists both a match for 95% and then a second match for the 80-95% rule.
